What is AI agent governance?
AI agent governance is the org-wide policy layer that decides which agents can run, on what data, with what approvals, and how risks are tracked over time. It sits above per-agent guardrails. Guardrails intercept actions at runtime for one agent; governance decides whether that agent exists, who owns it, and what data it ever sees.
The four artifacts a reviewer asks for
- Agent inventory. A versioned registry of every deployed agent: underlying model, prompts, tools, retrieval sources, owner, deploy timestamp. You cannot govern what you cannot see.
- Risk classification. Per-agent rating (low, medium, high) tied to data sensitivity and action reversibility. An agent that drafts internal text rates differently from one that issues refunds or touches PHI.
- Approval workflow. Named signoff for new agents and material changes, with diffs in version control. Destructive actions (deletes, payments, broadcasts) require explicit human gates.
- Continuous monitoring. Per-request traces of tool calls, drift detection, and periodic re-review.
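A minimal policy-as-code check over the inventory and risk classification described above, written as an added example rather than code from the original page: the record fields, the risk matrix, the destructive-verb list and the sample agents are all assumptions.

```python
# Added example (not from the original page): a minimal policy-as-code check over an
# agent inventory. Field names, the risk matrix and the sample records are assumptions.
from dataclasses import dataclass, field

DESTRUCTIVE_VERBS = ("delete", "refund", "pay", "broadcast")  # assumed keyword list


@dataclass
class Tool:
    name: str
    human_gate: bool = False  # explicit human signoff before the call executes


@dataclass
class AgentRecord:
    name: str
    model: str
    prompt_version: str
    owner: str
    data_sensitivity: str  # assumed scale: "public", "internal", "confidential", "phi"
    tools: list = field(default_factory=list)
    retrieval_sources: list = field(default_factory=list)
    deployed_at: str = ""


def is_destructive(tool: Tool) -> bool:
    """Treat a tool as irreversible if its name carries a destructive verb."""
    return any(v in tool.name.lower() for v in DESTRUCTIVE_VERBS)


def classify(rec: AgentRecord) -> str:
    """Rate low/medium/high from data sensitivity and action reversibility (assumed matrix)."""
    irreversible = any(is_destructive(t) for t in rec.tools)
    if rec.data_sensitivity == "phi" or irreversible:
        return "high"
    if rec.data_sensitivity == "confidential" or rec.tools:
        return "medium"
    return "low"


def review_findings(rec: AgentRecord) -> list:
    """Return the gaps a reviewer would block on: ownership, deploy record, ungated destructive tools."""
    findings = []
    if not rec.owner:
        findings.append("no named owner")
    if not rec.deployed_at:
        findings.append("no deploy timestamp")
    for t in rec.tools:
        if is_destructive(t) and not t.human_gate:
            findings.append(f"destructive tool '{t.name}' lacks a human gate")
    return findings


# Constructed sample records: an internal drafting agent and an ungated refund agent.
DRAFTER = AgentRecord("memo-drafter", "model-x", "v3", "comms-team", "internal",
                      deployed_at="2026-05-01")
REFUNDER = AgentRecord("refund-bot", "model-x", "v7", "", "confidential",
                       tools=[Tool("issue_refund"), Tool("lookup_order")])
```

Running `review_findings(REFUNDER)` yields the three findings (no owner, no deploy timestamp, ungated `issue_refund`) that the approval workflow would have to clear before the agent ships.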
How it maps to existing standards
NIST AI RMF organizes the same work as Govern, Map, Measure, Manage. SOC 2 CC2 (system operations) and ISO 27001 A.5/A.6 already require the inventory, ownership, and review structures, so agents slot into existing audit programs rather than needing a separate one. MITRE ATLAS catalogs the agent-specific attack surface (prompt injection, tool misuse, data exfiltration) that the risk classification has to address.
For leaders
Governance is what lets the org say yes to AI agents. Without it, every deployment is a bespoke risk review.
Last updated: May 20, 2026